WTOP and Federal News Radio Websites Back After Cyber Attack

WTOP and Federal News Radio Websites Back After Cyber AttackUsers encouraged to run security scan on their computers

WASHINGTON – The news websites, WTOP.com and FederalNewsRadio.com, are accessible to all Internet users following resolution of a cyberattack against the websites. Users accessing the websites from all web browsers, including Internet Explorer, have full access to both websites.

“Getting the websites back up and running safely for all users has been our top priority,” said Joel Oxley, Senior Vice President and General Manager of WTOP and Federal News Radio. “We take our users’ privacy very seriously, and we have taken steps to prevent similar occurrences. We apologize to our user community for any inconvenience that this incident has caused.”

WTOP.com and FederalNewsRadio.com were victims of cyberattacks last week. When the attacks were discovered, an investigation was launched immediately, the malicious code was removed, additional security measures were installed, and federal law enforcement officials were notified of the incident.

Access to the websites from Internet Explorer web browsers was blocked to allow for a careful examination of how site security was compromised and after the initial review, which suggested the hackers may have targeted Internet Explorer users.

Full access to the websites was restored on Saturday evening, May 11, 2013, after a review of site security and implementation of recommendations to fix the vulnerabilities the attacker exploited to gain access to the websites. The review was conducted and recommendations were made by Mandiant, an internationally recognized cybersecurity consulting firm.

“We have found and eliminated the vulnerabilities that were exploited,” said John Spaulding, the Washington, D.C. Director of Information Systems for Hubbard Radio, the parent company of WTOP and Federal News Radio.

Computers infected with the malware may display a pop-up message indicating that the computer is infected with a virus. This pop-up message may be fake if it prompts the user to click on a link, which takes them to a website that is not recognized by the user. This fake website offers security software for sale and prompts users to provide personal information, including credit card numbers. Users should not provide information, if prompted to do so.

Computers with up-to-date anti-virus programs and security software should identify the malware and provide instructions on how to delete or quarantine it.

Out of an abundance of caution, WTOP.com and Federal News Radio users who accessed the websites from any web browser during the cyberattack, which occurred approximately from May 5 to May 7, are encouraged to update and run their security software and perform a malware scan on their computer. (See below for more information on how to run a malware scan.)

In addition, the passwords for all registered users and users who receive breaking news, daily headline or other emails from both websites have been reset. These users have been contacted directly, informed of the need to reset their passwords the next time they visit the websites, and encouraged to change their passwords on other websites where they use the same password.

“During the cyberattack, it is possible the database of WTOP.com and FederalNewsRadio.com email users may have been compromised. However, we have no evidence that any log-in information was actually acquired by the hackers,” said Spaulding.

WTOP.com and FederalNewsRadio.com are reaching out to all users, via email messages and through social media, to make them aware of the situation. More information on how to detect malware on a computer can be found below.

How do I know if my computer was infected?

The malware attack targeted the Internet Explorer browser. If you accessed WTOP.com or FederalNewsRadio.com from Internet Explorer recently, you may have been infected. While other browsers may not have been directly infected, the malware still may have installed a cookie on your browser. We urge everyone to clear their cookies and browser cache no matter what browser they have been using to access WTOP.com or FederalNewsRadio.com, and to do a full virus scan on their machine (see instructions below).

An infected machine may exhibit some or all of the following behavior:

Active programs will be shut down.

Fake virus scanner, often labeled “Internet Security,” will automatically open and run.

Inability to open or access any programs or applications. Attempting to do so may result in a fake virus warning.

Periodic pop-ups displaying a fake warning and/or prompting the user to purchase the full product.

The malware (often called amsecure.exe) resides in memory and adds itself to the list of startup programs.

An infected machine will likely open numerous windows with an error message such as:

“Warning! Running Trial version!! The security of your computer has been compromised! Now running trial version of the software! Click here to purchase the full version of the software and get full protection for your PC!”

“Amsecure.exe detects application that seems to be a key-logger. System information security is at risk. It is recommended to enable the security mode and run total System scanning.”

“Warning! Name: taskmgr.exe. Name: C:WINDOWStaskmgr.exe”

You may also see error messages when trying to access the Internet, such as the ones below:

Iexplore caused an Invalid Page Fault in module3 (the number at the end can vary)

The web page you requested is not available offline

Explorer caused an exception C06D007EH in module Sens.dll

What do I do if I was infected with malware?

If you don’t already have an anti-virus program on your machine, download one. Some free possibilities are AVG or Avast. A removal tool, which may help, can be found here. The best practice for removing malware is to download the anti-virus program to a trusted, non- infected computer instead of the computer which you believe has the virus.

If you have access to a trusted, non-infected computer:

Download the anti-virus program and save it to a CD or flash drive.

Reboot the infected computer.

As soon as you see the screen come on, begin tapping the F8 key.

You should soon see a menu of options. Use the arrow keys to move up and down the options list (your mouse won’t work) until the “Safe Mode” option is highlighted.

Press “Enter” to choose “Safe Mode”.

After the computer is done booting into safe mode, insert the CD or flash drive that contains the anti-virus program you downloaded earlier. Navigate to the drive that contains the program. Run the anti-virus program by double clicking on it.

Run a full scan on the computer and have it remove any infected files.

Restart the computer into its regular state.

If you do not have access to a trusted, non-infected computer:

Reboot the infected computer.

As soon as you see the screen come on, begin tapping the F8 key.

You should soon see a menu of options. Use the arrow keys to move up and down the options list (your mouse won’t work) until the “Safe Mode with Networking” option is highlighted.

Press “Enter” to choose “Safe Mode with Networking”.

After the computer is done booting into safe mode, open a browser and download the removal tool from: